HCL Workload Automation, Version 9.4

Working across firewalls

In the design phase of an HCL Workload Automation network, the administrator must know where the firewalls are positioned in the network, which fault-tolerant agents and which domain managers belong to a particular firewall, and which are the entry points into the firewalls. Once this is clearly understood, the administrator should define the behindfirewall attribute for some of the workstation definitions in the HCL Workload Automation database. In particular, if a workstation definition has the behindfirewall attribute set to ON, there is a firewall between that workstation and the HCL Workload Automation master domain manager. In this case, the workstation-domain manager link is the only link allowed between the workstation and its domain manager.

All HCL Workload Automation workstations should be defined with the behindfirewall attribute if the link with the corresponding domain manager, or with any domain manager in the HCL Workload Automation hierarchy right up to the master domain manager, is across a firewall.

When mapping an HCL Workload Automation network over an existing firewall structure, it does not matter which fault-tolerant agents and which domain managers are on the secure side of the firewall and which ones are on the non-secure side. Firewall boundaries should be the only concern. For example, it makes no difference whether the master domain manager is in a non-secure zone and some of the domain managers are in secured zones, or vice versa. The firewall structure must always be considered starting from the master domain manager and following the HCL Workload Automation hierarchy, marking all the workstations that have a firewall between them and their corresponding domain manager.
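The marking rule can be checked mechanically against a workstation inventory. The following is an added example, not part of the HCL documentation: it walks a constructed hierarchy and flags every workstation whose path up to the master domain manager crosses a firewall. The workstation names, the zone labels, and the assumption that a link crosses a firewall when its two endpoints are in different zones are all hypothetical.

```python
# Constructed topology: workstation -> its domain manager (None = master).
DOMAIN_MANAGER = {
    "MDM": None,
    "DM_A": "MDM", "DM_B": "MDM", "DM_C": "DM_A",
    "FTA_1": "DM_A", "FTA_2": "DM_B", "FTA_3": "DM_C", "FTA_4": "MDM",
}

# Constructed network zone per workstation. Assumption: two workstations in
# different zones have a firewall between them; which side is "secure" is
# irrelevant, only the boundary counts.
ZONE = {
    "MDM": "corp", "DM_A": "corp", "DM_C": "corp", "FTA_4": "corp",
    "DM_B": "dmz", "FTA_1": "dmz", "FTA_2": "dmz",
    "FTA_3": "plant",
}


def behind_firewall(domain_manager, zone):
    """Return {workstation: bool}; True where behindfirewall should be ON."""
    marked = {}
    for start in domain_manager:
        path, ws = [], start
        # Climb toward the master until we reach an already decided node.
        while ws not in marked:
            if ws in path:
                raise ValueError(f"cycle in hierarchy at {ws}")
            path.append(ws)
            dm = domain_manager[ws]
            if dm is None:  # the master domain manager is the reference point
                marked[ws] = False
                path.pop()
                break
            ws = dm
        # Walk back down: a workstation is marked if its own link crosses a
        # firewall or if any link higher in the hierarchy already did.
        for node in reversed(path):
            dm = domain_manager[node]
            marked[node] = marked[dm] or zone[node] != zone[dm]
    return marked


if __name__ == "__main__":
    for name, flag in sorted(behind_firewall(DOMAIN_MANAGER, ZONE).items()):
        print(f"{name:6} behindfirewall {'ON' if flag else 'OFF'}")
```

FTA_2 shares a zone with its domain manager DM_B but is still marked, because DM_B's own link to the master crosses a firewall.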

For all workstations with behindfirewall set to ON, the conman start and stop commands on the workstation, and the showjobs commands, are sent following the domain hierarchy, instead of having the master domain manager or the domain manager open a direct connection to the workstation. This significantly improves security.

This attribute works for multiple nested firewalls as well. For extended agents, you can specify that an extended agent workstation is behind a firewall by setting the behindfirewall attribute to ON on the host workstation. The attribute is read-only in the plan; to change it in the plan, the administrator must update it in the database and then re-create the plan.

See the HCL Workload Automation: User's Guide and Reference for details on how to set this attribute.